Commit 0bdae603e8 for openssl.org

commit 0bdae603e82f74f037711a3b813c721d510b8ebb
Author: sftcd <stephen.farrell@cs.tcd.ie>
Date:   Thu Dec 18 14:39:10 2025 +0000

    ossl_ech_get_retry_configs(): Check for integer overflow

    Fixes DEF-02-010

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    MergeDate: Wed Feb 11 17:19:16 2026
    (Merged from https://github.com/openssl/openssl/pull/29593)

diff --git a/ssl/ech/ech_internal.c b/ssl/ech/ech_internal.c
index 366637bab0..f93d92d4d8 100644
--- a/ssl/ech/ech_internal.c
+++ b/ssl/ech/ech_internal.c
@@ -253,6 +253,8 @@ int ossl_ech_get_retry_configs(SSL_CONNECTION *s, unsigned char **rcfgs,
     for (i = 0; i != num; i++) {
         ee = sk_OSSL_ECHSTORE_ENTRY_value(es->entries, i);
         if (ee != NULL && ee->for_retry == OSSL_ECH_FOR_RETRY) {
+            if (ee->encoded_len > SIZE_MAX - retslen)
+                return 0;
             tmp = (unsigned char *)OPENSSL_realloc(rets,
                 retslen + ee->encoded_len);
             if (tmp == NULL)
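Review bot: The new overflow guard returns 0 without releasing `rets`, which earlier iterations of this loop have already grown through OPENSSL_realloc, so the rejected path looks like it leaks the partially built buffer while the `tmp == NULL` branch immediately below presumably cleans it up. The guard should take the same exit as the realloc failure, e.g. `if (ee->encoded_len > SIZE_MAX - retslen) { OPENSSL_free(rets); return 0; }`, or `goto err` if the function has a common error label. A one-line comment such as `/* retslen + encoded_len must not wrap before the realloc size is computed */` would also make the intent of the comparison clear to the next reader. ossl_ech_get_retry_configs() starts and ends outside the hunk, so the ownership of `rets` and the existing error-path cleanup cannot be confirmed from here.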